topic Preventing NIS+ users from logging in in Operating System - HP-UX

Preventing NIS+ users from logging in

Brian Kennedy — Tue, 21 Aug 2001 10:20:10 GMT

I have a NIS+ netgroup structured as show below:

--snip--
uadm (user1,-,) (user2,-,)
users uadm (user3,-,) (user4,-,)
--snip--

All end-users workstations are NIS+ clients and Trusted systems.
Here is the expected behaviour: on workstation 1, I'd like only users belonging to map @uadm having their access granted on the system and on workstation 2, all users having normal access.

In fact, I'd like the 'compat' behaviour for passwd and group maps (thus allowing me to select granted NIS+ users), but Trusted Systems do not support this syntax (having +/- signs into /etc/passwd before conversion).

Any ideas?

Thanks a lot in advance.

Regards.
/Brian

Re: Preventing NIS+ users from logging in

Ravi_8 — Tue, 21 Aug 2001 13:33:52 GMT

Hi,
NIS+ wouldn't work if your system is trusted one.
If you wanted to achive this on your client, make the following additions in /etc/passwd file.
in workstation1 : at the end of the file just add +user1:::
+user2:::
...
....
so the user1,user2,.. can only access the workstation1.
In workstation 2 at the end of the file just add +::: and also in /etc/group file.
Now workstation2 accessible for all NIS+ users.

Re: Preventing NIS+ users from logging in

Barry O Flanagan — Tue, 21 Aug 2001 13:43:23 GMT

Have to disagree with Ravi there - NIS+ does work in a trusted environment!

But in answer to the question - netgroup should function exactly as it does in a NIS environment with the proviso that nsswitch.conf has the following line :

netgroup: nisplus files

... or something similar?

Why not create a group in the netgroup called machine1_ok or something like that and add that then as the + entry ?

Re: Preventing NIS+ users from logging in

Ravi_8 — Tue, 21 Aug 2001 13:59:27 GMT

Hi, Barry
pls go thru trusted system docs, it clearly says that NIS+ wouldn't work. if it works how can the audit takes place for all the NIS+ users who logged into system

Re: Preventing NIS+ users from logging in

Barry O Flanagan — Tue, 21 Aug 2001 14:10:10 GMT

Ravi,

I can assure you NIS+ and trusted systems work quite happily together. I've implemented NIS+ servers and clients, all of which were trusted systems. NIS+ keeps itself in sync with whats going on in the local /tcb/files/auth structure. So as long as you stick your nisplus entry into your nsswitch.conf then your sorted.

What aspect of NIS+ doesn't work with trusted systems Ravi?

Re: Preventing NIS+ users from logging in

Brian Kennedy — Tue, 21 Aug 2001 14:30:40 GMT

Thanks for your help.

Auditing works perfectly well for me too, even if my system is trusted and a NIS+ client.

Barry, the + entry (in fact, the "compat" mode) does not work when the system has previously been tsconvert'd. I thought there were another way just to prevent user1 and user2 from logging into workstation1, while they can log into workstation2; a way to "disable" certain accounts on workstation1 but not on workstation2, considering that both workstations are NIS+ clients of the same NIS+ domain.

Any ideas?
TIA

/Brian

Re: Preventing NIS+ users from logging in

Barry O Flanagan — Wed, 22 Aug 2001 13:41:07 GMT

The only thing I can think of is to set up sub-domains. Make machine1 a member of subdomain1 and machine 2 a member of subdomain2 - then the fact that each user or NIS+ principal must have a local credential in that domain in order to view objects in it, should remove visability of the more restricted machine from users that dont have a cred.

Its worth a shot!! Otherwise dump NIS+ and go back to good old NIS. ;-)

B